Logic Coverage Criteria and Predicate Testing

Covering logic expressions is crucial in software testing, especially for safety critical systems. This chapter delves into various logic coverage criteria such as Subsumption, Combinatorial, Clause Coverage, and Predicate Coverage. Learn about logic predicates, clauses, examples, and the importance of testing and covering predicates in software testing.

• Software Testing
• Logic Coverage
• Predicate Testing
• Safety Critical Systems
• Testing Strategies

jliy Follow

Uploaded on Mar 03, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

Presentation Transcript

1. Introduction to Software Testing Chapter 3.2 Logic Coverage Paul Ammann & Jeff Offutt

2. Covering Logic Expressions Logic expressions show up in many situations Covering logic expressions is required by the US Federal Aviation Administration for safety critical software Logical expressions can come from many sources Decisions in programs FSMs and statecharts Requirements Tests are intended to choose some subset of the total number of truth assignments to the expressions

3. Logic Coverage Criteria Subsumption Combinatorial Clause Coverage CoC Restricted Inactive Clause Coverage RICC Restricted Active Clause Coverage RACC General Inactive Clause Coverage GICC Correlated Active Clause Coverage CACC Clause Coverage CC Predicate Coverage PC 3

4. Logic Predicates and Clauses A predicate is an expression that evaluates to a boolean value Predicates can contain boolean variables non-boolean variables that contain >, <, ==, >=, <=, != boolean function calls Internal structure is created by logical operators the negation operator the and operator the or operator the implication operator the exclusive or operator the equivalence operator A clause is a predicate with no logical operators

5. Examples (a < b) f (z) D (m >= n*o) Four clauses: (a < b) relational expression f (z) boolean-valued function D boolean variable (m >= n*o) relational expression Most predicates have few clauses Sources of predicates Decisions in programs Guards in finite state machines Decisions in UML activity graphs Requirements, both formal and informal SQL queries

6. Testing and Covering Predicates We use predicates in testing as follows : Developing a model of the software as one or more predicates Requiring tests to satisfy some combination of clauses Abbreviations: P is the set of predicates p is a single predicate in P C is the set of clauses in P Cp is the set of clauses in predicate p c is a single clause in C

7. Predicate and Clause Coverage The first (and simplest) two criteria require that each predicate and each clause be evaluated to both true and false Predicate Coverage (PC) : For each p in P, TR contains two requirements: p evaluates to true, and p evaluates to false. a.k.a. decision coverage in literature When predicates come from conditions on edges, this is equivalent to edge coverage PC does not evaluate all the clauses, so Clause Coverage (CC) : For each c in C, TR contains two requirements: c evaluates to true, and c evaluates to false. a.k.a. condition coverage in literature

8. Predicate Coverage Example ((a < b) D) (m >= n*o) predicate coverage Predicate = true a = 5, b = 10, D = true, m = 1, n = 1, o = 1 = (5 < 10) true (1 >= 1*1) = true true TRUE = true Predicate = false a = 10, b = 5, D = false, m = 1, n = 1, o = 1 = (10 < 5) false (1 >= 1*1) = false false TRUE = false

9. Clause Coverage Example ((a < b) D) (m >= n*o) Clause coverage D = true D = false (a < b) = true (a < b) = false D = true D = false a = 5, b = 10 a = 10, b = 5 m >= n*o = false m >= n*o = true m = 1, n = 2, o = 2 m = 1, n = 1, o = 1 Two tests 1) a = 5, b = 10, D = true, m = 1, n = 1, o = 1 2) a = 10, b = 5, D = false, m = 1, n = 2, o = 2

10. Problems with PC and CC PC does not fully exercise all the clauses, espe cially in the presence of short circuit evaluation CC does not always ensure PC That is, we can satisfy CC without causing the predi cate to be both true and false Ex. x > 3 x > 1 Two test cases { x=4, x=0} satisfy CC but not PC Condition/decision coverage is a hybrid metric composed by CC union PC

11. Modified condition/decision coverage (MCDC) Standard requirement for safety critical systems such as avionics (e.g., DO 178A/B/C) Modified condition/decision coverage (MCDC) requires Satisfying CC and DC, and every condition in a decision should be shown to independently affect that decision's outcome Example: C = A || B Which test cases are necessary to satisfy Condition coverage Decision coverage Condition/decision coverage MCDC coverage A B C TC1 T T T TC2 T F T TC3 F T T TC4 F F F

12. Minimum Testing to Achieve MCDC [Chilenski and Miller 94] For C = A && B, All conditions (i.e., A and B) should be true so that decision (i.e., C) becomes true 1 test case required Each and every input should be exclusively false so that decision becomes false. 2 (or n for n-ary and) test cases required For C= A || B All conditions (i.e., A and B) should be false so that decision (i.e., C) becomes false 1 test case required Each and every input should be exclusively true so that decision becomes true. 2 (or n for n-ary or) test cases required A B C TC1 T T T TC2 T F F TC3 F T F TC4 F F F A B C TC1 T T T TC2 T F T TC3 F T T TC4 F F F

13. Combinatorial Coverage CoC requires every possible combination Sometimes called Multiple Condition Coverage Combinatorial Coverage (CoC) : For each p in P, TR has test requirements for the clauses in Cp to evaluate to each possible combination of truth values. ((a < b) D) (m >= n*o) a < b D T T T T F F F F m >= n*o T F T F T F T F 1 2 3 4 5 6 7 8 T T F F T T F F T F T F T F F F 13

14. Combinatorial Coverage This is simple, neat, clean, and comprehensive But quite expensive! 2N tests, where N is the number of clauses Impractical for predicates with more than 3 or 4 clauses The literature has lots of suggestions some confusing The general idea is simple: Test each clause independently from the other clauses Getting the details right is hard What exactly does independently mean ? The book presents this idea as making clauses active

15. Active Clauses Clause coverage has a weakness The values do not always make a difference to a whole predicate To really test the results of a clause, the clause should be the determining factor in the value of the predicate Determination : A clause ci in predicate p, called the major clause, determines p if and only if the values of the remaining minor clauses cj are such that changing ci changes the value of p This is considered to make the clause ci active

16. Determining Predicates P = A B P = A B if B = true, p is always true. if B = false, p is always false. so if B = false, A determines p. so if B = true, A determines p. if A = false, B determines p. if A = true, B determines p. Goal : Find tests for each clause when the clause determines the value of the predicate This is formalized in several criteria that have subtle, but very important, differences

17. Active Clause Coverage Active Clause Coverage (ACC) : For each p in P and each major clause ciin Cp, choose minor clauses cj, j != i, so that ci determines p. TR has two requirements for each ci : cievaluates to true and ci evaluates to false. p = a b a is major clause 1) a = true, b = false 2) a = false, b = false b is major clause 3) a = false, b = true 4) a = false, b = false Duplicate This is a form of MCDC, which is required by the Federal Avionics Admini stration (FAA) for safety critical software Ambiguity : Do the minor clauses have to have the same values when the major clause is true and false?

18. Resolving the Ambiguity p = a (b c) Major clause : a Is this allowed ? a = true, b = false, c = true a = false, b = false, c = false c = false This question caused confusion among testers for years Considering this carefully leads to three separate criteria : Minor clauses do need to be the same (RACC) Minor clauses do not need to be the same but force the predicate to become b oth true and false (CACC)

19. Restricted Active Clause Coverage Restricted Active Clause Coverage (RACC) : For each p in P and each major clause ci in Cp, choose minor clauses cj, j != i, so that ci determines p. TR has two requirements for each ci: ci evaluates to true and ci evaluates to false. The values chosen for the minor clauses cj must be the same when ci is true as when ci is false, that is, it is required that cj(ci = true) = cj(ci = false) for all cj. This has been a common interpretation of MCDC by aviation developers Often called unique-cause MCDC RACC often leads to infeasible test requirements There is no logical reason for such a restriction

20. Correlated Active Clause Coverage Correlated Active Clause Coverage (CACC) : For each p in P and each major clause ci in Cp, choose minor clauses cj, j != i, so that ci determines p. TR has two requirements for each ci: cievaluates to true and ci evaluates to false. The values chosen for the minor clauses cj must cause p to be true for one value of the major clause ci and false for the other, that is, it is required that p(ci = true) != p(ci = false). A more recent interpretation Also known as Masking MCDC Implicitly allows minor clauses to have different values Explicitly satisfies (subsumes) predicate coverage

21. CACC and RACC a (b c) T T T F F F a (b c) T F T F T F a a b c a a b c 1 2 3 5 6 7 T T T F F F F T T F T T F T F T T F T 1 5 2 6 3 7 T F T F T F F T T T T F F T T F F T T T F T F T T T T F F major clause major clause CACC can be satisfied by choosing any of rows 1, 2, 3 AND any of rows 5, 6, 7 a total of nine pairs RACC can only be satisfied by one of the three pairs above 21

22. Inactive Clause Coverage The active clause coverage criteria ensure that major clauses do affect the predicates Inactive clause coverage takes the opposite approach major clauses do not affect the predicates Inactive Clause Coverage (ICC) : For each p in P and each major clause ci in Cp, choose minor clauses cj, j != i, so that ci does not determine p. TR has four requirements for each ci: (1) ci evaluates to true with p true (2) ci evaluates to false with p true (3) cievaluates to true with p false, and (4) ci evaluates to false with p false.

23. General and Restricted ICC Unlike ACC, the notion of correlation is not relevant ci does not determine p, so cannot correlate with p Predicate coverage is always guaranteed General Inactive Clause Coverage (GICC) : For each p in P and each major clause ci in Cp, choose minor clauses cj, j != i, so that ci does not determine p. The values chosen for the minor clauses cj do not need to be the same when ci is true as when ci is false, that is, cj(ci = true) = cj(ci = false) for all cj OR cj(ci = true) != cj(ci = false) for all cj. Restricted Inactive Clause Coverage (RICC) : For each p in P and each major clause ci in Cp, choose minor clauses cj, j != i, so that ci does not determine p. The values chosen for the minor clauses cj must be the same when ci is true as when ci is false, that is, it is required that cj(ci = true) = cj(ci = false) for all cj.

24. Logic Coverage Criteria Subsumption Combinatorial Clause Coverage CoC Restricted Inactive Clause Coverage RICC Restricted Active Clause Coverage RACC General Inactive Clause Coverage GICC Correlated Active Clause Coverage CACC Clause Coverage CC Predicate Coverage PC 24

25. Making Clauses Determine a Predicate Finding values for minor clauses cj is easy for simple predicates But how to find values for more complicated predicates ? Definitional approach: pc=true is predicate p with every occurrence of c replaced by true pc=false is predicate p with every occurrence of c replaced by false To find values for the minor clauses, connect pc=true and pc=false with exclusive OR pc = pc=true pc=false After solving, pc describes exactly the values needed for c to deter mine p Note that we have to calculate pc /\ p=true and/or pc /\ p=false to get values for minor clauses for Inactive Coverage Criteria

26. Examples p = a b p = a b pa = pa=true pa=false = (true b) XOR (false b) = true XOR b = b pa = pa=true pa=false = (true b) (false b) = b false = b p = a (b c) pa = pa=true pa=false = (true (b c)) (false (b c)) = true (b c) = (b c) = b c NOT b NOT c means either b or c can be false RACC requires the same choice for both values of a, CACC does not

27. A More Subtle Example p = ( a b ) ( a b) pa = pa=true pa=false = ((true b) (true b)) ((false b) (false b)) = (b b) false = true false = true p = ( a b ) ( a b) pb = pb=true pb=false = ((a true) (a true)) ((a false) (a false)) = (a false) (false a) = a a = false a always determines the value of this predicate b never determines the value b is irrelevant !

28. Infeasible Test Requirements Consider the predicate: (a > b b > c) c > a (a > b) = true, (b > c) = true, (c > a) = true is infeasible As with graph-based criteria, infeasible test requirements have to be recognized and ignored Recognizing infeasible test requirements is hard, and in general, undecidable

29. Example p = a ( b c) a b c p pa T pb F pc T All pairs of rows satisfying CACC a: {1,3,4} x {5,7,8}, b: {(2,4)}, c:{(1,2)} All pairs of rows satisfying RACC a: {(1,5),(3,7),(4,8)} Same as CACC pairs for b, c GICC a: {(2,6)} for p=F, no feasible pair for p=T b: {5,6}x{7,8} for p=F, {(1,3) for p=T c: {5,7}x{6,8} for p=F, {(3,4)} for p=T RICC a: same as GICC b: {(5,7),(6,8)} for p=F, {(1,3)} for p=T c: {(5,6),(7,8)} for p=F, {(3,4)} for p=T 1 T T T T 2 T T F F F T T 3 T F T T T F F 4 T F F T T T F 5 F T T F T F F 6 F T F F F F F 7 F F T F T F F 8 F F F F T F F Conditions under which each of the clauses determines p pa: ( b c) pb: a c pc: a b

30. Logic Coverage Summary Predicates are often very simple in practice, most have less t han 3 clauses In fact, most predicates only have one clause ! With only clause, PC is enough With 2 or 3 clauses, CoC is practical Advantages of ACC and ICC criteria significant for large predicates CoC is impractical for predicates with many clauses Control software often has many complicated predicates, with lots of clauses Question why don t complexity metrics count the number of clauses in predicates?

31. 31

32. Logic Coverage Criteria Subsumption Combinatorial Clause Coverage CoC Restricted Inactive Clause Coverage RICC Restricted Active Clause Coverage RACC Correlated Active Clause Coverage CACC General Inactive Clause Coverage GICC General Active Clause Coverage GACC Clause Coverage CC Predicate Coverage PC 32

33. General Active Clause Coverage General Active Clause Coverage (GACC) : For each p in P and each major clause ciin Cp, choose minor clauses cj, j != i, so that cidetermines p. TR has two requirements for each ci : ci evaluates to true and ci evaluates to false. The values chosen for the minor clauses cj do not need to be the same when ci is true as when ci is false, that is, cj(ci = true) = cj(ci = false) for all cj OR cj(ci = true) != cj(ci = false) for all cj. It is possible to satisfy GACC without satisfying predicate coverage Ex. p = a b, {TT, FF} satisfies GACC, but not PC We want to cause predicates to be both true and false !